[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
This bug was fixed in the package tracker-miners - 3.4.3-1ubuntu1

---
tracker-miners (3.4.3-1ubuntu1) lunar; urgency=medium

  [ Denison Barbosa ]
  * debian/patches/ubuntu-fix-tracker-extract-start-order.patch:
    Fix tracker-extract.service WantedBy target so that gvfsd has
    access to KRB5CCNAME. (LP: #1779890)

 -- Didier Roche  Tue, 21 Mar 2023 15:04:35 +0100

** Changed in: tracker-miners (Ubuntu)
   Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to tracker-miners in Ubuntu.
https://bugs.launchpad.net/bugs/1779890

Title: Nautilus does not use a valid Kerberos ticket when accessing Samba share

To manage notifications about this bug go to:
https://bugs.launchpad.net/gvfs/+bug/1779890/+subscriptions

--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Package changed: gvfs (Ubuntu) => tracker-miners (Ubuntu) ** Changed in: tracker-miners (Ubuntu) Assignee: (unassigned) => Denison Barbosa (justdenis)
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
So, I was investigating this issue for a while and after some debugging of journalctl --user and dbus, it's possible to see that the gvfs-daemon.service was being started too early due to another tracker: "tracker-extract-3.service", which has WantedBy=default.target. This default value of default.target is graphical.target, and that is also too early for gvfsd to be able to get the correct environment.

So, after disabling tracker-extract-3.service, changing its WantedBy to gnome-session.target and then reenabling it, the gvfsd service is now started with the right environment.
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Hi Sergio, I tried your workaround, but the KRB5CCNAME environment variable is not set, because I don't use krb5-user and libpam-krb5. In my case the authentication is made by sssd-krb5 and the kerberos ticket is stored in /tmp/krb5cc_...
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
I found something odd... Setting KRB5CCNAME in /etc/environment does work, but setting "default_ccache_name" in /etc/krb5.conf doesn't. In theory, when KRB5CCNAME isn't set, kerberos should use that value for the cache file. And although the command line tools do use it, it seems that gvfsd doesn't...
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
If you try my line, be sure to create the folder ~/kerberos before, so maybe a better alternative would be the line

    KRB5CCNAME=${HOME}/.config/krb5cc_${LOGNAME}
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
I found a workaround for this: to define the KRB5CCNAME environment variable at /etc/environment.d/91kerberos.conf

In my case, I store the cache file at ~/kerberos, so I set the content of that file to:

    KRB5CCNAME=${HOME}/kerberos/krb5cc_${LOGNAME}

So, if my username is "username", this results in the environment variable set to /home/username/kerberos/krb5cc_username

After doing this, the tickets are preserved between reboots.

Can anybody test this to ensure that it fixes the problem, please?
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Tags added: dt-798
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Is this bug still being worked on? I'm running into the issue. Took me a couple of days before I found this bug here. I've applied the workaround from Val (vk1266) listed on 2020-05-28 and that works, problem is not visible anymore. Can I be of assistance in any way? Have an environment where I can repro the issue consistently.
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Changed in: gvfs Status: Unknown => New
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Hi renbag,

Thanks for attaching your smb.conf and sssd.conf, I will try adding them into my reproducer and see if I get closer to seeing the problem.

Maybe when you log in, smbd mounts the samba shares to /home/aduser/{Public},{Shared} before kerberos manages to acquire a new ticket and place it in /tmp, so gvfs doesn't get KRB5CCNAME set. Maybe on your faster system, it can get the kerberos ticket before smbd starts mounting shares. This is still a race condition where gvfs is starting too early though.

Let me re-adjust my reproducer, and I will let you know how I get on.

Thanks,
Matthew
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
I tried this to check if the problem is really the slow writing of the kerberos ticket to the disk:

- disable the workaround in /etc/systemd/user/gvfs-daemon.service
- reboot the slow machine
- connect to the slow machine with ssh as "aduser" (a kerberos ticket is acquired and written to /tmp/krb5cc_1136602666_6v25tM and gvfsd is started)
- from the ssh session: killall gvfsd
- login as aduser in the normal graphical console of the slow machine

After login, Nemo is able to browse the network without asking username and password.

Note, however, that after login, the /tmp/krb5cc_1136602666_6v25tM ticket is replaced by a new one and it is not possible to browse the network every time a new reboot and a new login is made.
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Attachment added: "AD_installed_packages.txt" https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/+attachment/5575198/+files/AD_installed_packages.txt
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Attachment added: "smb.conf" https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/+attachment/5575197/+files/smb.conf
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Attachment added: "sssd.conf" https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/+attachment/5575196/+files/sssd.conf
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Attachment added: "1641_environ_slow-machine_with-workaround.txt" https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/+attachment/5575194/+files/1641_environ_slow-machine_with-workaround.txt
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Attachment added: "psauxf_slow-machine-with-workaroud.txt" https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/+attachment/5575193/+files/psauxf_slow-machine-with-workaroud.txt
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Attachment added: "psauxf_fast-machine-no-workaroud.txt" https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/+attachment/5575195/+files/psauxf_fast-machine-no-workaroud.txt
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Attachment added: "1274_environ_slow-machine_no-workaround.txt" https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/+attachment/5575192/+files/1274_environ_slow-machine_no-workaround.txt
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Attachment added: "psauxf_slow-machine-no-workaroud.txt" https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1779890/+attachment/5575188/+files/psauxf_slow-machine-no-workaroud.txt
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Hi Matthew,

I report the complete configuration of the machine in which I see the problem. The machine is an Optiplex 745, with an Intel Core2 6320 CPU, 4 GB RAM and a rotational HD, which I use as a test box for Ubuntu 22.04. It was joined to an AD domain with the "net ads join -U aduser" command and uses sssd for authentication and samba and winbind for sharing folders.

The minimum number of iterations needed for the

    ExecStartPre=bash -c "for i in echo {1..20} ; do if [ $(env | grep KRB5CCNAME) == "" ]; then sleep 0.2 ; fi ; done"

command to work is 15, so it's a delay of about 3 s.

I normally do not see the bug in my personal workstation, which runs Ubuntu 20.04 and is a much faster machine (Ryzen 5 with nvme SSD).

From the logs I can see that gvfsd is correctly started by systemd --user also in all my cases; so I suspect that the problem is that, with the slow machine, the kerberos ticket needed by gvfsd is actually written to the hard disk with too much delay.
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Hi everyone, Fady, renbag,

I have been working on this bug on and off for a little while now, but I am stuck because I can't reproduce what you are all seeing. Having a reproducer will greatly speed up getting a fix created for this issue.

In my client gvfsd is always started via systemd --user, so I must be configuring something differently.

Can you try out my reproducer and let me know what you are configuring differently?

Instructions to reproduce:

You will need a 20.04 server instance, and a 20.04 Desktop instance.

To set up the server:

1) Create a fresh 20.04 server instance
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
   Add an entry with its IP address, e.g.:
   192.168.122.199 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5
   Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) cat << EOF >> /etc/resolv.conf
    nameserver 192.168.122.199
    search SAMBA
    EOF
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
    _ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
    Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.13.17-Ubuntu)
    SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
    Enter SAMBA\Administrator's password:
      .                                   D        0  Mon Feb 28 04:23:22 2022
      ..                                  D        0  Mon Feb 28 04:23:27 2022

            9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
    Password for administra...@samba-dc.example.com:
    Warning: Your password will expire in 41 days on Mon Apr 11 04:23:27 2022
26) klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: administra...@samba-dc.example.com

    Valid starting     Expires            Service principal
    02/28/22 04:32:47  02/28/22 14:32:47  krbtgt/samba-dc.example@samba-dc.example.com
        renew until 03/01/22 04:32:44
27) Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
    [Demo]
    path = /srv/samba/Demo/
    read only = no
30) sudo chmod 0770 /srv/samba/Demo/

Install a fresh 20.04.4 Desktop instance, and run the following:

31) sudo apt install realmd smbclient
32) sudo vim /etc/hosts
    Add an entry with its IP address, e.g.:
    192.168.122.199 samba-dc samba-dc.example.com
33) sudo realm join --user=Administrator SAMBA-DC.EXAMPLE.COM

    $ smbclient -U Administrator //samba-dc.example.com/demo
    Enter WORKGROUP\Administrator's password:
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Mon Mar  7 15:20:30 2022
      ..                                  D        0  Mon Mar  7 15:20:30 2022

            9983232 blocks of size 1024. 7686220 blocks available

    $ smbclient //samba-dc.example.com/demo -k
    gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
    session setup failed: NT_STATUS_INVALID_PARAMETER

    Now open Nautilus, add smb://samba-dc.example.com/demo as a share, and you will be faced with a dialog box asking for username / password credentials. Close Nautilus.

    Let's get a kerberos ticket:

    $ kinit administra...@samba-dc.example.com
    Password for administra...@samba-dc.example.com:
    Warning: Your password will expire in 11 days on Mon 11 Apr 2022 16:23:27

    $ smbclient //samba-dc.example.com/demo -k
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Mon Mar  7 15:20:30 2022
      ..                                  D        0  Mon Mar  7 15:20:30 2022

            9983232 blocks of size 1024. 7616832 blocks available

34) Open Nautilus, add smb://samba-dc.example.com/demo as a share, and it will open correctly using kerberos credentials.

When I look at my process list, gvfsd is where it is supposed to be, under the systemd user session:

$ ps auxf
...
ubuntu      1207  0.5  0.2  19008 10128 ?        Ss   12:12   0:00 /lib/systemd/systemd --user
ubuntu      1208  0.0  0.0 179632  3544 ?        S    12:12   0:00  \_ (sd-pam)
ubuntu
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
I see the same problem with Ubuntu 20.04 and 22.04, inside an Active Directory domain. With slow machines (e.g. with rotational hard disks) it is always present; with fast machines (with SSDs) it is randomly present, maybe because it depends also on the time needed to contact the domain controller. (I'm using a cinnamon desktop and I do not have ibus installed)

I have applied the following workaround:

- copy /usr/lib/systemd/user/gvfs-daemon.service to /etc/systemd/user/gvfs-daemon.service
- insert in the last file the following line, at the start of the [Service] section:

    ExecStartPre=bash -c "for i in echo {1..20} ; do if [ $(env | grep KRB5CCNAME) == "" ]; then sleep 0.2 ; fi ; done"

In this way it is possible to browse the network with Nemo or Nautilus, without asking for user authentication.

When the workaround is not present I see this message in /var/log/syslog:

    Mar 30 10:30:36 pc000327 gvfsd[2656]: got no contact to IPC$
    Mar 30 10:30:39 pc000327 gvfsd[2672]: Kerberos auth with 'aduser@WORKGROUP' (WORKGROUP\aduser) to access '10.1.0.107' not possible

(Here kerberos is not aware of the real domain name and tries the generic WORKGROUP)

I report here also the relevant processes in the case of no workaround:

USER         PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
...
root         977  0.0  0.4  78692  19508 ?        Ss   12:52   0:00 /usr/sbin/winbindd --foreground --no-process-group
root         985  0.0  0.2  78596  11168 ?        S    12:52   0:00 winbindd: domain child [PC000327]
root         989  0.1  0.7 105008  28716 ?        Ss   12:52   0:00 /usr/sbin/smbd --foreground --no-process-group
root         990  0.0  0.4  79840  17180 ?        S    12:52   0:00 winbindd: domain child [DOMAIN]
root         994  0.0  0.4  80464  16344 ?        S    12:52   0:00 winbindd: idmap child
root        1002  0.0  0.5  97132  20524 ?        S    12:52   0:00 /usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=48 --parent-watch-fd=12 --debuglevel=0 -F
root        1014  1.2  2.5 153464  99180 ?        S    12:52   0:01 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root        1015  0.0  0.3  98056  14612 ?        S    12:52   0:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root        1021  0.1  0.2  57304   8144 ?        Ss   12:52   0:00 /lib/systemd/systemd-logind
root        1121 15.2  2.7 272756 108420 ?        S    12:52   0:18 /usr/libexec/sssd/sssd_be --domain addomain.it --uid 0 --gid 0 --logger=files
root        1213  0.0  0.2 190492  11168 ?        Sl   12:53   0:00 lightdm --session-child 12 19
root        1271  0.0  0.4 138968  16544 ?        Ss   12:53   0:00 /usr/libexec/sssd/sssd_pac --logger=files --socket-activated
aduser      1279  0.5  0.2  17388  10136 ?        Ss   12:53   0:00 /lib/systemd/systemd --user
aduser      1292  0.6  0.1  29736   5824 ?        Ss   12:53   0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
aduser      1294  0.0  0.1 241124   7680 ?        Sl   12:53   0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
aduser      1298  0.1  0.2 240844   8672 ?        Ssl  12:53   0:00 /usr/libexec/gvfsd
aduser      1305  0.0  0.1 380884   7012 ?        Sl   12:53   0:00 /usr/libexec/gvfsd-fuse /run/user/1136602666/gvfs -f
aduser      1314  0.6  0.6 376912  27500 ?        Ssl  12:53   0:00 cinnamon-session --session cinnamon
aduser      1326  1.5  0.6 707460  26600 ?        SNsl 12:53   0:00 /usr/libexec/tracker-miner-fs-3
aduser      1372  0.0  0.2 325748  10224 ?        Ssl  12:53   0:00 /usr/libexec/gvfs-udisks2-volume-monitor

and when the workaround is present:

USER         PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
...
root         873  0.4  2.5 153440  98936 ?        S    12:43   0:01 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root         874  0.0  0.3  98068  14344 ?        S    12:43   0:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root         885  0.0  0.3  70704  15060 ?        Ss   12:43   0:00 /usr/sbin/nmbd --foreground --no-process-group
root         973  0.0  0.4  78692  19632 ?        Ss   12:43   0:00 /usr/sbin/winbindd --foreground --no-process-group
root         981  0.0  0.2  78596  11108 ?        S    12:43   0:00 winbindd: domain child [PC000327]
root         982  0.0  0.4  79844  17164 ?        S    12:43   0:00 winbindd: domain child [DOMAIN]
root         986  0.0  0.7 105008  28736 ?        Ss   12:43   0:00 /usr/sbin/smbd --foreground --no-process-group
root        1001  0.0  0.4  80464  16344 ?        S    12:43   0:00 winbindd: idmap child
root        1004  0.0  0.5  97132  20376 ?        S    12:43   0:00 /usr/lib/x86_64-linux-gnu/samba/samba-bgqd --ready-signal-fd=48 --parent-watch-fd=12 --debuglevel=0 -F
root        1010  0.0  0.2 249880   8900 ?        Ssl  12:43   0:00 /usr/libexec/accounts-daemon
root        1013  0.0  0.2  57312   7968 ?        Ss   12:43   0:00
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
> It's being D-Bus activated by things early in the startup of the
> session. By disabling tracker or whatever you are stopping that D-Bus
> activation.

Indeed, I've seen that. But I actually intended to say tracker, not gvfs. I see little point in starting tracker before gnome-session. But I'm probably missing something.

Regards,
Julien
Re: [Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
On Tue, Nov 17, 2020 at 07:50:20AM -, Julien Blanc wrote:
> Same issue here.
>
> gvfsd is started by tracker-miner-fs. Disabling it made it work (note
> that i also made the /etc/pam/systemd-user pam_sss change), ie gvfsd now
> correctly has access to the kerberos token.
>
> I'm wondering why gvfsd is started by systemd-user and not gnome-
> session. Changing that may be an acceptable workaround until a better
> solution is found.

It's being D-Bus activated by things early in the startup of the session. By disabling tracker or whatever you are stopping that D-Bus activation.

Cheers,

--
Iain Lane [ i...@orangesquash.org.uk ]
Debian Developer [ la...@debian.org ]
Ubuntu Developer [ la...@ubuntu.com ]
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Same issue here.

gvfsd is started by tracker-miner-fs. Disabling it made it work (note that I also made the /etc/pam/systemd-user pam_sss change), i.e. gvfsd now correctly has access to the kerberos token.

I'm wondering why gvfsd is started by systemd-user and not gnome-session. Changing that may be an acceptable workaround until a better solution is found.
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
I think maybe sssd needs to learn how to set the environment in "session" mode. I did ask some people at Canonical who know about this project, hopefully they will have some advice soon. :)
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
@laney: I have disabled all my workarounds and placed "session optional pam_sss.so" just before "session optional pam_systemd.so" in /etc/pam.d/systemd-user on my Ubuntu 18.04.5 system.

Checking "journalctl --user" for gvfs-daemon entries:

    Nov 02 22:45:31 vk2011 dbus-daemon[6128]: [session uid=1000 pid=6128] Activating via systemd: service name='org.gtk.vfs.Daemon' unit='gvfs-daemon.service' requested by ':1.1' (uid=1000 pid=6121 comm="/usr/bin/ibus-daemon --daemonize --xim --address u" label="unconfined")

And, KRB5CCNAME is not in the environment for gvfsd, unfortunately.
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
I think anything which causes gvfs to start "early enough" (before gnome-session has a chance to upload the environment to systemd) will trigger this problem. So anything which starts from e.g. default.target, or maybe there are things like ibus which are started outside of systemd's control.

I did a little bit of investigation on the upstream bug, and I think what is happening is that we don't run pam_sss for systemd-user sessions - it's not in /etc/pam.d/systemd-user or included in there e.g. via common-session-noninteractive. That means that when the session starts `systemd --user`, in its own `systemd-user` PAM session, the env var is not instantiated there and so it's not available to stuff that starts really early.

Early - but not early enough - in the startup process, gnome-session uploads environment variables into the systemd environment. Anything which starts after that will get the right environment. In other words this is a race condition.

Can someone experiencing this bug please undo all of the workarounds applied, and then try adding "session optional pam_sss.so" into /etc/pam.d/systemd-user just above the `pam_systemd.so` line? And then check that KRB5CCNAME is set in gvfsd's environment. I don't have an environment to fully test this so I was just able to do it with a hack, but it worked that far for me.
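One way to run the check requested in the comment above, as an added example that is not part of the original bug comments. The function names, the state labels and the sample ticket-cache value are assumptions made for illustration; it compares KRB5CCNAME in a process's /proc environ with the value held by the systemd user manager.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the bug thread): does gvfsd see KRB5CCNAME,
# and does it match what the systemd user manager holds now?

# env_get FILE NAME: print NAME's value from a NUL-separated environ file
# (the /proc/<pid>/environ format); return 1 if NAME is absent.
# Values containing newlines are not handled.
env_get() {
    tr '\0' '\n' < "$1" | awk -v name="$2" '
        index($0, name "=") == 1 { print substr($0, length(name) + 2); found = 1; exit }
        END { exit !found }'
}

# classify ENVIRON_FILE MANAGER_VALUE: name the state (labels are hypothetical).
classify() {
    if gv=$(env_get "$1" KRB5CCNAME); then
        if [ "$gv" = "$2" ]; then echo ok; else echo mismatch; fi
    elif [ -n "$2" ]; then
        # The manager has the variable now, so the process was started
        # before the environment was uploaded: the race described above.
        echo started-too-early
    else
        # Neither side has it: the user session never received the variable.
        echo not-in-user-session
    fi
}

# manager_value: KRB5CCNAME as currently held by `systemd --user`.
manager_value() {
    systemctl --user show-environment 2>/dev/null | sed -n 's/^KRB5CCNAME=//p'
}

# check_live: classify the first gvfsd process owned by the current user.
check_live() {
    pid=$(pgrep -u "$(id -u)" -x gvfsd | head -n 1)
    [ -n "$pid" ] || { echo "gvfsd not running"; return 2; }
    classify "/proc/$pid/environ" "$(manager_value)"
}

# demo: the same logic on a constructed environ file with no ticket cache set.
demo() {
    f=$(mktemp)
    printf 'HOME=/home/user\0DISPLAY=:0\0' > "$f"
    classify "$f" "FILE:/tmp/krb5cc_1000_constructed"
    rm -f "$f"
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with `--live` in the affected desktop session, once before and once after changing /etc/pam.d/systemd-user, to see whether the result moves from `started-too-early` to `ok`.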
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
I do not have tracker-miner-fs.service at all. My instance of gvfsd is started by either ibus-daemon, or "systemd --user". Please see the controversy at https://gitlab.gnome.org/GNOME/gvfs/-/issues/481#note_948506
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
The upstream bug got reopened now, could you try disabling the tracker service and see if it resolves the issue for you?
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
** Changed in: gvfs (Ubuntu) Importance: Low => High ** Tags added: desktop-lts-wishlist focal
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
The upstream determined that gvfsd as a systemd user session is starting too early in Ubuntu, before the desktop environment variables are set. Specifically, KRB5CCNAME env var is missing at the time gvfsd is started, causing this bug. See the detailed report at https://gitlab.gnome.org/GNOME/gvfs/-/issues/481

CentOS 8 and Fedora 32 apparently fixed this problem by changing the default preset mechanism for user units, aligning them with the default preset for system units: https://fedoraproject.org/wiki/Changes/Systemd_presets_for_user_units

Indeed, there is no good reason to treat user services differently than system services with respect to the default presets. The default preset for user units should be changed to "disable *".
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Thanks for reporting the issue upstream ** Changed in: gvfs (Ubuntu) Importance: Undecided => Low ** Changed in: gvfs (Ubuntu) Status: Confirmed => Triaged ** Also affects: gvfs via https://gitlab.gnome.org/GNOME/gvfs/-/issues/481 Importance: Unknown Status: Unknown
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
The problem persists in Ubuntu 20.04 as well. I attempted to investigate this issue a little further, found that it is caused by a race condition between gvfsd and ibus-daemon, and filed a bug report upstream: https://gitlab.gnome.org/GNOME/gvfs/-/issues/481

My current workaround is a hack, but it works: Add this line to the [Service] section in /usr/lib/systemd/user/gvfs-daemon.service:

ExecStartPre=bash -c "for i in echo {1..20} ; do ps ax | grep -q \"^${USER}\b.*[i]bus-daemon\" || sleep 0.1 ; done"

** Bug watch added: gitlab.gnome.org/GNOME/gvfs/-/issues #481 https://gitlab.gnome.org/GNOME/gvfs/-/issues/481
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
As far as I know this problem comes from Ubuntu 12.04 and is still not resolved. Kerberos now works in Ubuntu 18.04. This is an Ubuntu-specific bug. Nautilus in CentOS 7.x and 8 works fine with Kerberos.
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Happens on Ubuntu 19.04 too.
[Bug 1779890] Re: Nautilus does not use a valid Kerberos ticket when accessing Samba share
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: gvfs (Ubuntu) Status: New => Confirmed